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Abstract 

Chaotic systems have been broadly exploited through the last two decades to build 
encryption methods. Recently, two new image encryption schemes have been pro- 
posed, where the encryption process involves a permutation operation and an XOR- 
like transformation of the shuffled pixels, which are controlled by three chaotic sys- 
tems. This paper discusses some defects of the schemes and how to break them with 
a chosen-plaintext attack. 
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1 Introduction 



When we think about exchanging information we are very interested in find- 
ing a way to make it fast and secure. Modern telecommunications technolo- 
gies allow to send and receive files, images, and data in a relatively short 
time depending on the bandwidth available. Nowadays, the use of traditional 

* Corresponding author: David Arroyo (david.arroyo@iec.csic.es). 



Preprint submitted to Physics Letter A 



2 February 2008 



symmetric and asymmetric cryptography is the way to secure the informa- 
tion exchange [1,2]. However, applications involving digital images and videos 
demand other encryption schemes. Indeed, the bulky size and the large re- 
dundancy of uncompressed videos/images make it necessary to look for new 
methods to deal with those features in order to facilitate the integration of 
the encryption in the whole processing procedure. For recent surveys on image 
and video encryption, please refer to [3-6]. 

The main features of chaotic systems (sensitivity to initial conditions, ergod- 
icity, mixing property, simple analytic description and high complex behavior) 
make them very interesting to design new cryptosystems. Image encryption 
is an area where chaos has been broadly exploited. In fact, chaotic systems 
have been used to mask plain-images through XOR-like substitution opera- 
tions [7], spatial permutation [8] or the combination of both techniques [9]. 
This paper is focused on two image encryption schemes proposed in [10,11]. 
In both papers the image encryption is based on a secret permutation derived 
from the logistic map, and a masking of the gray-scale values of the shuffled 
pixels with a keystream generated from one or two chaotic systems. The only 
difference between the two encryption schemes is that in [10] two chaotic sys- 
tems (Lorenz and Chen's systems) are used to generate the keystream, while 
in [11] only one hyper-chaotic system is used. Because such a difference is 
independent of the security, we only focus on the cryptanalysis of the scheme 
proposed in [10]. 

The rest of this paper is organized as follows. The scheme under study is 
described briefly in the next section. In Sec. [3] some important problems of 
the cryptosystem are remarked. Then, a chosen-plaintext attack is described in 
Sec. H] along with some experimental results. In the last section the conclusion 
is given. 



2 The encryption scheme 

Assuming that the size of the plain-image I is M x N and the cipher-image is 
I', the encryption scheme proposed in [10] can be described by the following 
two procedures. Please note that we use different notations from the original 
ones in [10] to get a simpler and clearer description. 

• Shuffling procedure 

In this procedure, the plain-image I is permuted to form an intermedi- 
ate image I* according to a total shuffling matrix P*, which is derived by 
pseudo-randomly permuting the rows and columns of the original position 
matrix P = The pseudo-random row and column permutations are 

generated by iterating the logistic map x n+ i = 4x n (l — x n ) from a given 
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initial condition xq. 
• Masking procedure 

In this procedure, the intermediate image I* is further masked by a 
keystream {B(i)}V* as follows: \/i = 1 ~ MN, = I*(i)®B{i)® 
where denote the i-th pixels of I* and I' (counted from left to right 

and from top to bottom), respectively, and I'(0) = 128. 

The keystream {B(i)}fli is generated by iterating the Lorenz and Chen's 
systems and doing some postprocessing on all the 6 chaotic variables (the 
first iVo iterations of Lorenz system and the first M iterations of Chen's 
systems are discarded to enhance the security). Because our cryptanalysis 
succeeds regardless of the keystream's generation process, we ignore this 
part and readers are referred to Sec. 2.3 of [10] for details. 

In [10], it is claimed that the secret key includes the initial values of the Lorenz 
and Chen's systems and the number of initial iterations iVo, M . It is quite 
strange why the initial condition of the logistic map is not claimed to be part 
of the key, since the image encryption scheme is based on "a new total shuffling 
algorithm" (as can be seen in the title of [10]). In this cryptanalysis paper, we 
assume that the initial condition of the logistic map is also part of the key. We 
believe it is also the original intention of the authors of [10]. In addition, note 
that both P* and {B(i)}fi± are independent of the plaintext and ciphertext, 
so they can be used as an equivalent key. 



3 Design weaknesses 

In this section, we discuss some defects of the scheme under study. 



3.1 Low sensitivity to the change of plain-image 

It is well known that the ciphertext of a secure encryption scheme should 
be very sensitive to the change of plaintext [12, Rule 9]. Unfortunately, the 
encryption scheme under study fails to satisfy this requirement. Given two 
plain-images Io and Ii with only one pixel difference at the position 
the difference will be permuted to a new position according to the 

shuffling matrix P*. Then, because all plain-pixels before are identical 

for the two plain-images, the ciphertexts will also be identical. This shows 
the low sensitivity of the image encryption scheme to changes in the plain- 
image. Figure [1] gives an example of this problem. It can be seen how the 
differential cipher-image is equal to zero for any pixel before and equal 

to a constant value after that position. 
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(c) 

Fig. 1. Illustration of the low sensitivity to the change of the plain- image: (a) the 
first plain- image Io; (b) the second plain-image Ii (only the center pixel is different 
from Io); (c) the differential cipher- image I © 1^. 



3.2 Reduced Key space 



As claimed in [10], N and M are also part of the key. However, from an 
attacker's point of view, he/she only needs to guess the chaotic states after 
the Nq and M chaotic iterations as the initial conditions of the Lorenz and 
Chen's systems. In this way, Nq and M are removed from the key and the 
key space is reduced. 
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3.3 Problem with chaotic iterations of Lorenz and Chen's systems 

In [10], the authors did not say anything about the time step r of iterating 
the Lorenz and Chen's systems. However, the randomness of the keystream 
{B(i)}ff,i is tightly dependent on the value of time step. As an extreme exam- 
ple, if r = 1CT 20 , we will get a keystream of identical elements (according to the 
algorithm described in Sec. 2.3 of [10]). As a matter of fact, the value of r is de- 
pendent on the multiplication factor 10 13 occurring in Step 4 of the encryption 
process (see Sec. 2.3 of [10]): x { = mod ((abs(rcj) -Floor(abs(xj))) x 10 13 ,256). 

3.4 Low encryption speed 

Because the chaotic iterations of Lorenz and Chen's systems involve compli- 
cated numerical differential functions, the encryption speed is expected to be 
very slow compared with other traditional ciphers. To asses this fact, we de- 
rived a modified encryption scheme from the original one by replacing the 
Lorenz and Chen's systems with the logistic map, and then compared the 
encryption speeds of the two cryptosystems. Both cryptosystems were im- 
plemented using MATLAB on a PC with a 1.6GHz processor and 512MB of 
RAM. For images of size 256 x 256, the typical encryption time for the original 
cryptosystem in [10] was around 5.8 seconds, while the modified cryptosystem 
based on the logistic map required in average around 1.2 seconds to encrypt 
an image. The experiments have clearly shown that using continuous chaotic 
systems can drastically reduce the encryption speed. Since there are also no 
other obvious merits in using continuous chaotic systems rather than a simple 
discrete-time chaotic map, the use of the Lorenz and Chen's systems in the 
image encryption scheme under study is unnecessary. Instead, these continu- 
ous chaotic systems can be replaced by a simpler discrete-time chaotic map 
without compromising the security. 



4 Chosen-plaintext attack 

When a variation of stream cipher is created, as in the case under study, 
obtaining the keystream is totally equivalent to obtaining the key whenever 
different plain-images are encrypted using the same key. In this section, we 
present a chosen-plaintext attack which allows to recover both the keystream 
and the shuffling matrix. 

Let us choose a plain-image Ii such that Vi,j = 1 ~ MN, Ii{i) = h(j) = a. 
In this case, the shuffling part does not work, so we have 1^ = Ii. Then, we can 
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recover the keystream as follows: Vz = 1 ~ MN, B(i) = Ii(i)(Bl[(i)(Bl[(i — l). 

After removing the masking part, we can try to recover the shuffling matrix. 
According to the general cryptanalysis on permutation-only ciphers in [13], 
only |Tog 256 (MiV)] chosen plain- images are needed to recover the shuffling 
matrix P*. In total we need |Tog 256 (MiV)] + 1 chosen plain-images to perform 
this chosen-plaintext attack. 

With the aim of verifying the proposed attack, several experiments have been 
done. One of the examples is shown in Fig. [21 where the images are of size 256 x 
256 and the secret key involved is shown in Tabled! As it was mentioned above, 
the shuffling process is broken using log 256 (MiV) = 2 chosen plain-images, 
while the masking procedure cryptanalysis requires one chosen plain-image. 
The three chosen plain-images allow to decipher the cipher-image included in 
Fig.^a) and thus to get the corresponding plain-image (Fig. [2]^b)), even when 
the secret key is unknown. 

Table 1 



Key value used in the experiment. 



xi(0) 


x 2 (0) 


x 3 (0) 


x 4 (0) 


x 5 (0) 


x 6 (0) 


iVo 


M 


x 


0.3 


-0.4 


1.2 


10.2 


-3.5 


4.4 


3000 


2000 


0.4 




Fig. 2. The result of the chosen-plaintext attack: (a) a cipher-image encrypted with 
the key as shown in Table HJ (b) the decrypted plain- image using the equivalent key 
(P*, {B(i)}f£^) obtained via the chosen-plaintext attack. 



5 Conclusions 

The security of the image encryption scheme proposed in [10] has been ana- 
lyzed in detail. The cryptanalytic results are also valid for the other scheme 
proposed in [11]. It has been shown that the equivalent secret key can be re- 
covered in a chosen-plaintext attack with only |~log 256 (MiV)] + 1 chosen plain- 
images. In addition, some other defects have also been distinguished in the 
scheme under study. Among those defects, it is necessary to emphasize the one 
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concerning the encryption speed, since it informs about the non-convenience of 
continuous-time chaotic systems for implementing fast encryption procedures. 
The weak security properties frustrate the usage of the scheme in practice. 
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